Interface AuthorizationEngine
An AuthorizationEngine is responsible for making the core decisions about whether a request
should be authorized or not. The engine can and usually will be called multiple times during
the authorization of a request. Security categorizes requests into a few different buckets
and uses the action name as the indicator of what a request will perform. Internally, the
action name is used to map a TransportRequest to the actual
TransportAction that will handle the request.
Requests can be a cluster request or an indices request. Cluster requests are requests that tend to be global in nature; they could affect the whole cluster. Indices requests are those that deal with specific indices; the actions could have the effect of reading data, modifying data, creating an index, deleting an index, or modifying metadata.
Each call to the engine will contain an AuthorizationEngine.RequestInfo object that contains the request,
action name, and the authentication associated with the request. This data is provided by the
engine so that all information about the request can be used to make the authorization decision.
The methods of the engine will be called in the following order:
1. resolveAuthorizationInfo(RequestInfo, ActionListener) to retrieve information necessary to authorize the given user. It is important to note that the AuthorizationEngine.RequestInfo may contain an Authentication object that actually has two users when the run as feature is used, and this method should resolve the information for both. To check for the presence of run as, use the Authentication.isRunAs() method.
2. authorizeRunAs(RequestInfo, AuthorizationInfo, ActionListener) if the request is making use of the run as feature. This method is used to ensure the authenticated user can actually impersonate the user running the request.
3. authorizeClusterAction(RequestInfo, AuthorizationInfo, ActionListener) if the request is a cluster level operation.
4. authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Metadata, ActionListener) if the request is an index action. This method may be called multiple times for a single request as the request may be made up of sub-requests that also need to be authorized. The async supplier for resolved indices will invoke the loadAuthorizedIndices(RequestInfo, AuthorizationInfo, Map, ActionListener) method if it is used as part of the authorization process.
NOTE: the loadAuthorizedIndices(RequestInfo, AuthorizationInfo, Map, ActionListener)
method may be called prior to authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Metadata, ActionListener)
in cases where wildcards need to be expanded.
Authorization engines can be called from various threads, including network threads that should not be blocked waiting for I/O. Network threads in Elasticsearch are limited and we rely on asynchronous processing to ensure optimal use of network threads; this is unlike many other Java based servers that have a thread for each concurrent request and can perform blocking operations on those threads. Given this, it is imperative that the implementations used here do not block when calling out to an external service or waiting on some data.
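The call order above, written out as an added example that is not Elasticsearch's own code: a minimal engine backed by a hypothetical non-blocking RoleStore, resolving grants for both users when run as is in use and completing every step through listeners rather than waiting on I/O. Assumed rather than taken from this page: the package paths of the imported types; RequestInfo.getAuthentication() and getAction(); Authentication.getEffectiveSubject() and getAuthenticatingSubject(); Subject.getUser(); User.principal(); AuthorizationInfo.asMap(); AuthorizationResult.granted() and deny(); IndexAuthorizationResult.DENIED; IndicesAccessControl.allowAll(); AsyncSupplier.getAsync(); ResolvedIndices.getLocal(). The pattern syntax and the "run_as:" and "cluster" resource names are constructed for the example.

```java
// Added example, not Elasticsearch code. Assumed (not from this page): the package paths below;
// RequestInfo.getAuthentication()/getAction(); Authentication.getEffectiveSubject()/getAuthenticatingSubject();
// Subject.getUser(); User.principal(); AuthorizationInfo.asMap(); AuthorizationResult.granted()/deny();
// IndexAuthorizationResult.DENIED; IndicesAccessControl.allowAll(); AsyncSupplier.getAsync(); ResolvedIndices.getLocal().
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.ResolvedIndices;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;

public final class StaticRoleAuthorizationEngine implements AuthorizationEngine {

    /** Hypothetical role service: principal -> (resource pattern -> allowed action names).
     *  Results arrive through a listener, so the calling thread never waits on I/O. */
    public interface RoleStore {
        void fetch(String principal, ActionListener<Map<String, Set<String>>> listener);
    }

    /** Grants of the effective user and, when run-as is in use, of the authenticating user. */
    public record Info(Map<String, Set<String>> effective, Map<String, Set<String>> authenticating)
        implements AuthorizationInfo {
        @Override public Map<String, Object> asMap() { return Map.of("effective_patterns", effective.keySet()); }
    }

    private final RoleStore roles;
    public StaticRoleAuthorizationEngine(RoleStore roles) { this.roles = roles; }

    /** Constructed matching rule: "*" matches anything, a trailing "*" matches by prefix, else exact. */
    private static boolean allowed(Map<String, Set<String>> grants, String resource, String action) {
        return grants.entrySet().stream().anyMatch(e -> {
            String p = e.getKey();
            boolean match = p.equals("*") || p.equals(resource)
                || (p.endsWith("*") && resource.startsWith(p.substring(0, p.length() - 1)));
            return match && e.getValue().contains(action);
        });
    }

    // 1. Resolve grants for the effective user and, when run-as is in use, for the authenticating
    //    user too. The two lookups are chained through listeners, never awaited.
    @Override public void resolveAuthorizationInfo(RequestInfo requestInfo, ActionListener<AuthorizationInfo> listener) {
        Authentication authn = requestInfo.getAuthentication();
        String effective = authn.getEffectiveSubject().getUser().principal();
        roles.fetch(effective, ActionListener.wrap(eff -> {
            if (authn.isRunAs() == false) {
                listener.onResponse(new Info(eff, eff));
                return;
            }
            String authenticating = authn.getAuthenticatingSubject().getUser().principal();
            roles.fetch(authenticating, ActionListener.wrap(
                auth -> listener.onResponse(new Info(eff, auth)), listener::onFailure));
        }, listener::onFailure));
    }

    // 2. The authenticating user needs a grant on the constructed resource "run_as:<target principal>".
    @Override public void authorizeRunAs(RequestInfo requestInfo, AuthorizationInfo authorizationInfo,
                                         ActionListener<AuthorizationResult> listener) {
        String target = requestInfo.getAuthentication().getEffectiveSubject().getUser().principal();
        boolean ok = allowed(((Info) authorizationInfo).authenticating(), "run_as:" + target, "run_as");
        listener.onResponse(ok ? AuthorizationResult.granted() : AuthorizationResult.deny());
    }

    // 3. Cluster actions are checked against the constructed resource "cluster".
    @Override public void authorizeClusterAction(RequestInfo requestInfo, AuthorizationInfo authorizationInfo,
                                                 ActionListener<AuthorizationResult> listener) {
        boolean ok = allowed(((Info) authorizationInfo).effective(), "cluster", requestInfo.getAction());
        listener.onResponse(ok ? AuthorizationResult.granted() : AuthorizationResult.deny());
    }

    // 4. Obtain the concrete, wildcard-expanded names from the supplier (asynchronously) and grant only
    //    when every one of them permits the action: a single unauthorized index denies the request.
    //    Because loadAuthorizedIndices is not implemented below, a request that needs wildcard
    //    expansion fails in this engine instead of being authorized.
    @Override public void authorizeIndexAction(RequestInfo requestInfo, AuthorizationInfo authorizationInfo,
                                               AsyncSupplier<ResolvedIndices> indicesAsyncSupplier, Metadata metadata,
                                               ActionListener<IndexAuthorizationResult> listener) {
        Map<String, Set<String>> grants = ((Info) authorizationInfo).effective();
        String action = requestInfo.getAction();
        indicesAsyncSupplier.getAsync(ActionListener.wrap(resolved -> {
            boolean ok = resolved.getLocal().stream().allMatch(index -> allowed(grants, index, action));
            listener.onResponse(ok ? new IndexAuthorizationResult(IndicesAccessControl.allowAll())
                                   : IndexAuthorizationResult.DENIED);
        }, listener::onFailure));
    }

    // Methods outside the call order above are not part of this example and fail fast when invoked.
    private static void notShown(ActionListener<?> l) { l.onFailure(new UnsupportedOperationException("not part of this example")); }
    @Override public void resolveAuthorizationInfo(Subject subject, ActionListener<AuthorizationInfo> l) { notShown(l); }
    @Override public void loadAuthorizedIndices(RequestInfo r, AuthorizationInfo a, Map<String, IndexAbstraction> m, ActionListener<AuthorizedIndices> l) { notShown(l); }
    @Override public void validateIndexPermissionsAreSubset(RequestInfo r, AuthorizationInfo a, Map<String, List<String>> m, ActionListener<AuthorizationResult> l) { notShown(l); }
    @Override public void checkPrivileges(AuthorizationInfo a, PrivilegesToCheck p, Collection<ApplicationPrivilegeDescriptor> d, ActionListener<PrivilegesCheckResult> l) { notShown(l); }
    @Override public void getUserPrivileges(AuthorizationInfo a, ActionListener<GetUserPrivilegesResponse> l) { notShown(l); }
}
```

The design point worth noticing is in step 1: when run as is in use the engine fetches grants for the authenticating user as well, because step 2 can only decide impersonation from that second set, and both fetches complete through ActionListener callbacks so the network thread that called the engine is released immediately. Step 4 denies if any resolved index is unauthorized; a more permissive engine would instead compute a per-index IndicesAccessControl.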
Nested Class Summary

Modifier and Type      Interface                                     Description
static interface       AuthorizationEngine.AsyncSupplier
static final class     (name not recovered from the page)
static interface       AuthorizationEngine.AuthorizationInfo         Interface for objects that contain the information needed to authorize a request
static class           AuthorizationEngine.AuthorizationResult       Represents the result of authorization to tell whether the actions should be granted
static interface       AuthorizationEngine.AuthorizedIndices         Used to retrieve index-like resources that the user has access to, for a specific access action type and selector, at a specific point in time (for a fixed cluster state view).
static final class     (name not recovered from the page)            Implementation of authorization info that is used in cases where we were not able to resolve the authorization info
static class           AuthorizationEngine.IndexAuthorizationResult  An extension of AuthorizationEngine.AuthorizationResult that is specific to index requests.
static final record    (name not recovered from the page)            Holds information about authorization of a parent action which is used to pre-authorize its child actions.
static final class     AuthorizationEngine.PrivilegesCheckResult     The result of a (has) privilege check.
static final record    AuthorizationEngine.PrivilegesToCheck         This encapsulates the privileges that can be checked for access.
static final class     AuthorizationEngine.RequestInfo               A class that encapsulates information about the request that is being authorized including the actual transport request, the authentication, and the action being invoked.
Method Summary
Modifier and Type / Method / Description

void authorizeClusterAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> listener)
    Asynchronously authorizes a cluster action.

void authorizeIndexAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine.AsyncSupplier<ResolvedIndices> indicesAsyncSupplier, Metadata metadata, ActionListener<AuthorizationEngine.IndexAuthorizationResult> listener)
    Asynchronously authorizes an action that operates on an index.

void authorizeRunAs(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> listener)
    Asynchronously authorizes an attempt for a user to run as another user.

void checkPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine.PrivilegesToCheck privilegesToCheck, Collection<ApplicationPrivilegeDescriptor> applicationPrivilegeDescriptors, ActionListener<AuthorizationEngine.PrivilegesCheckResult> listener)
    Checks the privileges from the provided authorization information against those that are being requested to be checked.

default void getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<RoleDescriptorsIntersection> listener)
    Retrieve privileges towards a remote cluster, from the provided authorization information, to be sent together with a cross-cluster request (e.g. CCS) from an originating cluster to the target cluster.

void getUserPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<GetUserPrivilegesResponse> listener)
    Retrieve the privileges, from the provided authorization information, in a standard format that can be rendered via an API for a client application to understand the privileges that the Subject has.

void loadAuthorizedIndices(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, IndexAbstraction> indicesLookup, ActionListener<AuthorizationEngine.AuthorizedIndices> listener)
    Asynchronously loads a set of alias and index names for which the user is authorized to execute the requested action.

void resolveAuthorizationInfo(Subject subject, ActionListener<AuthorizationEngine.AuthorizationInfo> listener)
    Asynchronously resolves the information necessary to authorize requests in the context of the given Subject.

void resolveAuthorizationInfo(AuthorizationEngine.RequestInfo requestInfo, ActionListener<AuthorizationEngine.AuthorizationInfo> listener)
    Asynchronously resolves the information necessary to authorize the given request, which has already been authenticated.

void validateIndexPermissionsAreSubset(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, List<String>> indexNameToNewNames, ActionListener<AuthorizationEngine.AuthorizationResult> listener)
    Asynchronously checks that the permissions a user would have for a given list of names do not exceed their permissions for a given name.
-
Method Details

resolveAuthorizationInfo

    void resolveAuthorizationInfo(AuthorizationEngine.RequestInfo requestInfo,
                                  ActionListener<AuthorizationEngine.AuthorizationInfo> listener)

Asynchronously resolves the information necessary to authorize the given request, which has already been authenticated. This could include retrieval of permissions from an index or external system. See also resolveAuthorizationInfo(Subject, ActionListener), for which this method is the more specific sibling. This returns the specific AuthorizationInfo used to authorize only the specified request.

Parameters:
    requestInfo - object containing the request and associated information such as the action name and associated user(s)
    listener - the listener to be notified of success using ActionListener.onResponse(Object) or failure using ActionListener.onFailure(Exception)

resolveAuthorizationInfo

    void resolveAuthorizationInfo(Subject subject,
                                  ActionListener<AuthorizationEngine.AuthorizationInfo> listener)

Asynchronously resolves the information necessary to authorize requests in the context of the given Subject. This could include retrieval of permissions from an index or external system. See also resolveAuthorizationInfo(RequestInfo, ActionListener), for which this method is the more general sibling. This returns the AuthorizationInfo that is used for access checks outside the context of authorizing a specific request, i.e. checkPrivileges(AuthorizationInfo, PrivilegesToCheck, Collection, ActionListener).

Parameters:
    subject - object representing the effective user
    listener - the listener to be notified of success using ActionListener.onResponse(Object) or failure using ActionListener.onFailure(Exception)

authorizeRunAs

    void authorizeRunAs(AuthorizationEngine.RequestInfo requestInfo,
                        AuthorizationEngine.AuthorizationInfo authorizationInfo,
                        ActionListener<AuthorizationEngine.AuthorizationResult> listener)

Asynchronously authorizes an attempt for a user to run as another user.

Parameters:
    requestInfo - object containing the request and associated information such as the action and associated user(s)
    authorizationInfo - information needed for authorization that was previously retrieved from resolveAuthorizationInfo(RequestInfo, ActionListener)
    listener - the listener to be notified of the authorization result

authorizeClusterAction

    void authorizeClusterAction(AuthorizationEngine.RequestInfo requestInfo,
                                AuthorizationEngine.AuthorizationInfo authorizationInfo,
                                ActionListener<AuthorizationEngine.AuthorizationResult> listener)

Asynchronously authorizes a cluster action.

Parameters:
    requestInfo - object containing the request and associated information such as the action and associated user(s)
    authorizationInfo - information needed for authorization that was previously retrieved from resolveAuthorizationInfo(RequestInfo, ActionListener)
    listener - the listener to be notified of the authorization result

authorizeIndexAction

    void authorizeIndexAction(AuthorizationEngine.RequestInfo requestInfo,
                              AuthorizationEngine.AuthorizationInfo authorizationInfo,
                              AuthorizationEngine.AsyncSupplier<ResolvedIndices> indicesAsyncSupplier,
                              Metadata metadata,
                              ActionListener<AuthorizationEngine.IndexAuthorizationResult> listener)

Asynchronously authorizes an action that operates on an index. The indices and aliases that the request is attempting to operate on can be retrieved using the AuthorizationEngine.AsyncSupplier for ResolvedIndices. The resolved indices will contain the exact list of indices and aliases that the request is attempting to take action on; in other words, this supplier handles wildcard expansion and date math expressions.

Parameters:
    requestInfo - object containing the request and associated information such as the action and associated user(s)
    authorizationInfo - information needed for authorization that was previously retrieved from resolveAuthorizationInfo(RequestInfo, ActionListener)
    indicesAsyncSupplier - the asynchronous supplier for the indices that this request is attempting to operate on
    metadata - a map of a string name to the cluster metadata specific to that alias or index
    listener - the listener to be notified of the authorization result

loadAuthorizedIndices

    void loadAuthorizedIndices(AuthorizationEngine.RequestInfo requestInfo,
                               AuthorizationEngine.AuthorizationInfo authorizationInfo,
                               Map<String, IndexAbstraction> indicesLookup,
                               ActionListener<AuthorizationEngine.AuthorizedIndices> listener)

Asynchronously loads a set of alias and index names for which the user is authorized to execute the requested action.

Parameters:
    requestInfo - object containing the request and associated information such as the action and associated user(s)
    authorizationInfo - information needed for authorization that was previously retrieved from resolveAuthorizationInfo(RequestInfo, ActionListener)
    indicesLookup - a map of a string name to the cluster metadata specific to that alias or index
    listener - the listener to be notified of the authorization result

validateIndexPermissionsAreSubset

    void validateIndexPermissionsAreSubset(AuthorizationEngine.RequestInfo requestInfo,
                                           AuthorizationEngine.AuthorizationInfo authorizationInfo,
                                           Map<String, List<String>> indexNameToNewNames,
                                           ActionListener<AuthorizationEngine.AuthorizationResult> listener)

Asynchronously checks that the permissions a user would have for a given list of names do not exceed their permissions for a given name. This is used to ensure that a user cannot perform operations that would escalate their privileges over the data. Some examples include adding an alias to gain more permissions to a given index and/or resizing an index in order to gain more privileges on the data since the index name changes.

Parameters:
    requestInfo - object containing the request and associated information such as the action and associated user(s)
    authorizationInfo - information needed for authorization that was previously retrieved from resolveAuthorizationInfo(RequestInfo, ActionListener)
    indexNameToNewNames - a map of an existing index/alias name to one or more names of an index/alias that the user is requesting to create. The method should validate that none of the names have more permissions than the name in the key would have.
    listener - the listener to be notified of the authorization result
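The subset rule above, worked through in plain Java as an added example that is not Elasticsearch's own code and has no Elasticsearch dependency. It mirrors the shape of the indexNameToNewNames argument and evaluates the not-yet-existing new names against the role's patterns, which is where the escalation hides: the alias or resized index does not exist yet, so its permissions can only come from pattern grants. The pattern syntax, the role and the requests are constructed for the example; the action names are ordinary Elasticsearch action names.

```java
// Added example, not Elasticsearch code: the validateIndexPermissionsAreSubset rule over constructed grants.
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public final class IndexPermissionSubsetCheck {

    /** Every action a role grants on a name: the union over all matching patterns.
     *  Constructed pattern syntax: "*" matches anything, a trailing "*" matches by prefix, else exact. */
    static Set<String> actionsFor(Map<String, Set<String>> grants, String name) {
        Set<String> actions = new HashSet<>();
        grants.forEach((pattern, acts) -> {
            boolean match = pattern.equals("*") || pattern.equals(name)
                || (pattern.endsWith("*") && name.startsWith(pattern.substring(0, pattern.length() - 1)));
            if (match) actions.addAll(acts);
        });
        return actions;
    }

    /** Returns a description of the first (existing -> new) pair under which the user would gain an
     *  action, or null when every new name's actions are a subset of the existing name's actions.
     *  The new names do not exist yet, so they are evaluated against the role's patterns, not live indices. */
    static String findEscalation(Map<String, Set<String>> grants, Map<String, List<String>> indexNameToNewNames) {
        for (var entry : indexNameToNewNames.entrySet()) {
            Set<String> existing = actionsFor(grants, entry.getKey());
            for (String newName : entry.getValue()) {
                Set<String> gained = new HashSet<>(actionsFor(grants, newName));
                gained.removeAll(existing);
                if (gained.isEmpty() == false) {
                    return entry.getKey() + " -> " + newName + " would add " + gained;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed role: read-only on logs-*, full access on scratch-*.
        Map<String, Set<String>> grants = Map.of(
            "logs-*", Set.of("indices:data/read/search"),
            "scratch-*", Set.of("indices:data/read/search", "indices:data/write/index", "indices:admin/delete"));

        // Alias request: point the alias "scratch-view" at "logs-2024". The alias name falls under
        // scratch-*, so the user would gain write and delete on the log data: must be denied.
        String alias = findEscalation(grants, Map.of("logs-2024", List.of("scratch-view")));
        System.out.println(alias == null ? "granted" : "denied: " + alias);

        // Resize request: shrink "logs-2024" into "logs-2024-shrunk". Same pattern, same actions: granted.
        String resize = findEscalation(grants, Map.of("logs-2024", List.of("logs-2024-shrunk")));
        System.out.println(resize == null ? "granted" : "denied: " + resize);
    }
}
```

An engine implementing validateIndexPermissionsAreSubset would run the same comparison against its own permission model and answer the listener with AuthorizationResult.deny() when a gained action is found, granted otherwise; the key is the set difference per new name, since it is the gained actions, not the overlap, that indicate escalation.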

checkPrivileges

    void checkPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo,
                         AuthorizationEngine.PrivilegesToCheck privilegesToCheck,
                         Collection<ApplicationPrivilegeDescriptor> applicationPrivilegeDescriptors,
                         ActionListener<AuthorizationEngine.PrivilegesCheckResult> listener)

Checks the privileges from the provided authorization information against those that are being requested to be checked. This provides a way for a client application to ask if a Subject has permission to perform an action, before actually trying to perform the action, or if the subject has privileges to an application resource.

Parameters:
    authorizationInfo - information used for authorization, for a specific Subject, that was previously retrieved using resolveAuthorizationInfo(Subject, ActionListener)
    privilegesToCheck - the object that contains the privileges to check for the Subject
    applicationPrivilegeDescriptors - a collection of application privilege descriptors
    listener - the listener to be notified of the check privileges response

getUserPrivileges

    void getUserPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo,
                           ActionListener<GetUserPrivilegesResponse> listener)

Retrieve the privileges, from the provided authorization information, in a standard format that can be rendered via an API for a client application to understand the privileges that the Subject has.

Parameters:
    authorizationInfo - information used for authorization, for a specific Subject, that was previously retrieved from resolveAuthorizationInfo(Subject, ActionListener)
    listener - the listener to be notified of the get privileges response

getRoleDescriptorsIntersectionForRemoteCluster

    default void getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias,
                                                                TransportVersion remoteClusterVersion,
                                                                AuthorizationEngine.AuthorizationInfo authorizationInfo,
                                                                ActionListener<RoleDescriptorsIntersection> listener)

Retrieve privileges towards a remote cluster, from the provided authorization information, to be sent together with a cross-cluster request (e.g. CCS) from an originating cluster to the target cluster.